Hack of MacRumors forums exposes password data for 860,000 users

MacRumors user forums have been breached by hackers who may have acquired cryptographically protected passwords belonging to all 860,000 users, one of the top editors of the news website said Tuesday evening.

"In situations like this, it's best to assume that your MacRumors Forum username, e-mail address and (hashed) password is now known," Editorial Director Arnold Kim wrote in a short advisory. He went on to advise users to change their passwords for their MacRumors accounts and any other website accounts that were protected by the same passcode.

The MacRumors intrusion involved "a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials," Kim said. MacRumors is still investigating how the attacker managed to compromise the privileged account.

"We're not sure how the original moderator's password was obtained, but it seems like they just logged in with it," Kim wrote in an e-mail to Ars. "We are looking into it further to see if there was another exploit, but there hasn't been any evidence of it yet." Kim also told Ars that log files examined so far seem to indicate that the intruder "tried to access" the password database. At this early stage, there are no indications that the passwords, either in cryptographically hashed or cracked format, are circulating online. There's also no sign that the hackers were able to access any data other than that belonging to the user forums.

Kim went on to compare the hack to one that hit Ubuntu forums in July. The Ubuntu breach exposed cryptographically hashed password data for an estimated 1.82 million users to hackers who went on to deface the site's home page. Like the Ubuntu forums, MacRumors used the MD5 algorithm, along with a per-user cryptographic salt, to convert plaintext passwords into a one-way hash.

The scheme is the standard protection provided by vBulletin, the Web software used on both the Ubuntu and MacRumors forums. Still, many password experts consider MD5, with or without salt, to be an inadequate means of protecting stored passwords. A per-user salt defeats precomputed lookup tables and forces an attacker to re-hash a wordlist separately for every user, which slows the cracking of large numbers of passwords in unison, but MD5 is so cheap to compute that the salt does little or nothing to delay the cracking of a small number of hashes. That means the scheme deployed by MacRumors does nothing to prevent the decoding of individual hashes that may be targeted because of the attractiveness of the specific user they belong to, such as a high-ranking executive or celebrity, or people whose e-mail addresses belong to Fortune 500 domains. The accepted remedy is a deliberately slow password hash such as bcrypt, scrypt, or PBKDF2 with a high iteration count, which raises the cost of every single guess rather than only the cost of attacking many accounts at once.
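The following is an added example, not code from the article or from vBulletin, that makes the point above concrete by counting the hash computations a dictionary attack spends. It assumes the salted construction vBulletin 3 and 4 used, md5(md5(password) + salt), which the article only describes as "MD5 with a per-user salt"; the wordlist, usernames, passwords and salts are constructed for the demonstration and are not real leaked data. PBKDF2-HMAC-SHA256 is used as the contrasting slow hash.

```python
import hashlib

# Constructed sample data for the demonstration; not real MacRumors rows.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "iloveyou"]
USER_PASSWORDS = {"alice": "password", "bob": "qwerty", "carol": "dragon"}
USER_SALTS = {"alice": "aB3", "bob": "x9Q", "carol": "Zz7"}  # one salt per user


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 construction: md5(md5(password) + salt)."""
    return md5_hex(md5_hex(password) + salt)


def leaked_unsalted() -> dict:
    """What a dump looks like with no salt: username -> md5(password)."""
    return {u: md5_hex(p) for u, p in USER_PASSWORDS.items()}


def leaked_salted() -> dict:
    """What a vBulletin-style dump looks like: username -> (salt, hash)."""
    return {u: (USER_SALTS[u], vb_hash(p, USER_SALTS[u])) for u, p in USER_PASSWORDS.items()}


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then match every user by lookup.
    Cost is len(wordlist) MD5 calls no matter how many users leaked."""
    lookup = {md5_hex(w): w for w in wordlist}
    found = {u: lookup[h] for u, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(table: dict, wordlist: list, targets=None) -> tuple:
    """Each user has a different salt, so the wordlist is re-hashed per user.
    Returns the cracked passwords and the number of vb_hash computations spent."""
    ops = 0
    found = {}
    for user in (targets if targets is not None else table):
        salt, digest = table[user]
        for word in wordlist:
            ops += 1
            if vb_hash(word, salt) == digest:
                found[user] = word
                break
    return found, ops


def slow_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Deliberately slow alternative: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def crack_slow(digest: str, salt: str, wordlist: list, iterations: int = 100_000) -> tuple:
    """Same dictionary attack against one PBKDF2 hash. Every guess now costs
    `iterations` HMAC calls instead of two MD5 calls, so a single targeted
    hash is expensive even though the salt by itself changed nothing."""
    work = 0
    for word in wordlist:
        work += iterations
        if slow_hash(word, salt, iterations) == digest:
            return word, work
    return None, work


if __name__ == "__main__":
    print("unsalted, all users:", crack_unsalted(leaked_unsalted(), WORDLIST))
    print("salted, all users:  ", crack_salted(leaked_salted(), WORDLIST))
    print("salted, one target: ", crack_salted(leaked_salted(), WORDLIST, targets=["carol"]))
    carol_salt = USER_SALTS["carol"]
    print("PBKDF2, one target: ", crack_slow(slow_hash("dragon", carol_salt), carol_salt, WORDLIST))
```

Against the whole table the salt does its job: the unsalted dump falls to one pass over the wordlist, while the salted dump costs a pass per user. Against one chosen user, though, the salted attack costs at most one pass over the wordlist, exactly what the unsalted attack costs, which is the article's point. Only the slow hash changes the per-guess price.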

Readers who had MacRumors accounts would do well to follow Kim's advice and immediately change login credentials that use the same or similar password. They should also be vigilant of phishing attempts, since their user names and e-mail addresses have also been exposed.

I wasn't a user of MacRumors, but I just did a password audit and changed a whole bunch of duplicate passwords. I'm definitely moving towards disposable e-mails (and random usernames if needed), with generated random passwords. I recommend LastPass, KeePass, etc.; pretty much anything is better than using the same password (and other identifiable information) on more than one site.

At this point with a new vulnerability or DB dump seeming to happen every week, it's more than likely that a site I interact with is going to be compromised eventually.

I feel that I should thank you. Your (entirely justified) obsession with the parlous state of password security is one of several things* that finally tipped me over the edge. I now use a password manager. Your persistence in reporting this stuff clearly is great; it's a useful resource that I can use to explain to the doubtful, too.

I am especially keen on long, generated line-noise passwords on random websites; my Ars password looks like cat typing now. Hopefully, no one gets a free ride. As I remember/come across old website accounts, I migrate them into KeePass.

Articles like this now terrify me less, instead evincing the "dodged a bullet" reflex.

Oh, and I heard you on a surprisingly good BBC Radio 4 programme about password weakness recently. You sound all wrong; you're not that American in my head.